Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trust and Security for Next Generation Grids, www.gridtrust.eu Implementing UCON with XACML for Grid Services Bruno Crispo Vrije Universiteit Amsterdam.

Similar presentations


Presentation on theme: "Trust and Security for Next Generation Grids, www.gridtrust.eu Implementing UCON with XACML for Grid Services Bruno Crispo Vrije Universiteit Amsterdam."— Presentation transcript:

1 Trust and Security for Next Generation Grids, Implementing UCON with XACML for Grid Services Bruno Crispo Vrije Universiteit Amsterdam OGF-25-Tutorial

2 Trust and Security for Next Generation Grids, Table of Content UCON in GridTrust UCON in GridTrust eXtended Access Control XML (XACML) eXtended Access Control XML (XACML) Language Run-time Support How we implemented in GridTrust How we implemented in GridTrust Limitations and Extensions Limitations and Extensions Multilateralism Performance

3 Trust and Security for Next Generation Grids, From Access Control to Usage Control Rights Subjects Objects Usage Decision (Authorizations) Conditions

4 Trust and Security for Next Generation Grids, From Access Control to Usage Control AuthorizationsoBligationsConditions Subjects Objects Attributes Usage Decision Rights

5 Trust and Security for Next Generation Grids, Policies Examples Access Control policies Access Control policies Silver Users can use the service from 8:00 am till 8:00pm Managers can read and write Purchase Orders of the all Sales Department while Accountants can only write they own P.O. Users from Server A can run any experiment that uses at most 10GB of disk and 1 GB of RAM

6 Trust and Security for Next Generation Grids, Policies Examples Usage Control policies Usage Control policies Silver Users can use the service only 5 times from 8:00 am till 8:00pm The SendOrder Service can be invoked only after the Log Service has been successfully invoked All mails sent outside the company must be encrypted All data related to a customer must be deleted when its account is deleted Users from Server A can run any experiment that uses at most 10GB of disk and 1 GB of RAM Workflowbased History based Obligations Continuous monitoring monitoring

7 Trust and Security for Next Generation Grids, Policies Examples DRM policies DRM policies (Pay Per Use) - The cost to see this movie is $ 4.00 (Metered Payment) - The cost to see this movie is 1¢/minute (Play n times) – You can see this movie at most 10 times

8 GridTrust Model

9 Trust and Security for Next Generation Grids, Components users PKI GridTrust Services TRS SRB VBE Manager service providers C-UCON ENFORCER VO Library

10 Trust and Security for Next Generation Grids, Virtual Breeding Environment VBE Manager PKI Virtual Breeding Environment

11 Trust and Security for Next Generation Grids, User & SP Registration to a VBE VBE Manager PKI SRB A Virtual Breeding Environment formed by users and different types of services. A VBE manager regulated the subscription of services and users to the VBE

12 Trust and Security for Next Generation Grids, VO: Virtual Organizations VBE Manager PKI VO Manager SRB Any user (VO Owner) may initiate the process of creating a VO by looking for service providers she needs.

13 Trust and Security for Next Generation Grids, VO: Virtual Organizations VBE Manager PKI VO Manager VO SRB The search and join is driven by service functionality and by security policy UCON policies, at this level written using XACML Service Resource Broker that implements a match- maker for XACML policies

14 Trust and Security for Next Generation Grids, SRB: Secure Resource Broker Service Service to match the security policy required by the VO with the policies exposed by service providers Service to match the security policy required by the VO with the policies exposed by service providers Supports XACML as a policy language Supports XACML as a policy language It supports policy integration algorithms It supports policy integration algorithms Trust and Security for Next Generation Grids,

15 VO: Virtual Organizations C-UCON VBE Manager PKI VO Manager VO SRB Users can register to use the VO. The registration consider also the security policies of both VO and User Support for UCON policies

16 Trust and Security for Next Generation Grids, A component used by the VO A component used by the VO Optionally can be also a third party service Implement UCON policy at VO level Implement UCON policy at VO level E.g. Service 1 can be invoked only after Service 2 has been invoked Trust and Security for Next Generation Grids,

17 VO Usage Application VO ENFORCER Virtual Breeding Environment VO user Service1 Service3 Service2

18 Trust and Security for Next Generation Grids, eXtendible Access Control XML (XACML) XML based access control language XML based access control language Simple Syntax, Strong Expressivity Simple Syntax, Strong Expressivity OASIS standard OASIS standard Widely adopted both in industry and academia Widely adopted both in industry and academia Many implementations (both open source and proprietary) Many implementations (both open source and proprietary)

19 Trust and Security for Next Generation Grids, XACML History First Meeting – 21 May 2001 First Meeting – 21 May 2001 Requirements from: Healthcare, DRM, Online Web, XML Docs, Fed Gov, Workflow…. Requirements from: Healthcare, DRM, Online Web, XML Docs, Fed Gov, Workflow…. XACML OASIS Standard – 6 February 2003 XACML OASIS Standard – 6 February 2003 XACML 1.1 – Committee Specification – 7 August 2003 XACML 1.1 – Committee Specification – 7 August 2003 XACML 2.0 – Approved February 2005 XACML 2.0 – Approved February 2005 XACML 3.0 Core Specification under review XACML 3.0 Core Specification under review

20 Trust and Security for Next Generation Grids, Goals Define a core XML schema for representing authorization and entitlement policies Define a core XML schema for representing authorization and entitlement policies Target - any object - referenced using XML Target - any object - referenced using XML Fine grained access control Fine grained access control Consistent with and building upon SAML Consistent with and building upon SAML

21 Trust and Security for Next Generation Grids, XACML – Key Aspects General-purpose authorization policy model and XML-based specification language General-purpose authorization policy model and XML-based specification language Input/output to the XACML policy processor is clearly defined as XACML context data structure Input/output to the XACML policy processor is clearly defined as XACML context data structure Extension points: function, identifier, data type, rule-combining algorithm, policy-combining algorithm, etc. Extension points: function, identifier, data type, rule-combining algorithm, policy-combining algorithm, etc. A policy consists of multiple rules A policy consists of multiple rules A set of policies is combined by a higher level policy (PolicySet element) A set of policies is combined by a higher level policy (PolicySet element)

22 Trust and Security for Next Generation Grids, XACML Syntax

23 Trust and Security for Next Generation Grids, XACML Example =VideoServer =login = Permit = >08h00 and <17h00 = UsersRegs =Deny-Overrides =Multimedia the user can login on a Video Server in the period between 08:00AM and 05:00PM

24 Trust and Security for Next Generation Grids, XACML Schemas Policy Schema PolicySet (Combining Alg) Policy* (Combining Alg) Rule* (Effect) Target Subject* Resource* Action* Environment Effect Condition Obbligation* Request Schema Request Subject Resource Action Response Schema Response Decision Permit Permit w/ Obligations Deny N/A Indeterminate

25 Trust and Security for Next Generation Grids, XACML Combination Algorithms Both at policy level and at rule level Both at policy level and at rule level Used to compute decision result in case of policies/rules with conflicting effects Used to compute decision result in case of policies/rules with conflicting effects rule: rule: rule1: rule2: Trust and Security for Next Generation Grids, Permit-Override John can access Deny-Override John cant

26 Trust and Security for Next Generation Grids, Combination Algorithm Expected Behavior Deny Override A policy is denied if a rule is encountered the effect of which is DENY Permit Override A policy is permitted if a rule is encountered the effect of which is PERMIT First-one-applicable The combined result is the same as the result of the first rule that applies Only-one-applicable The combined result corresponds to the result of the unique rule which applies to the request XACML Combination Algorithms Similarly for policies

27 Trust and Security for Next Generation Grids, Problem: Policy Integration If VO can always impose its policy, combination algorithms are enough If VO can always impose its policy, combination algorithms are enough Simple Not very flexible We want to increase flexibility to increase the chances service provider can join the VO We want to increase flexibility to increase the chances service provider can join the VO Then we cannot impose but we need to integrate VO and service provider policies, thus combination algorithms are not enough.

28 Trust and Security for Next Generation Grids, Example VO Policy: Any user with an in the.edu or in the.gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override] VO Policy: Any user with an in the.edu or in the.gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override] SP policy: Any user with an in the.edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied [Permit- Override] SP policy: Any user with an in the.edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied [Permit- Override] Which combination algorithm to apply?

29 Trust and Security for Next Generation Grids, VO Policy: Any user with an in the.edu or in the.gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override] VO Policy: Any user with an in the.edu or in the.gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override] SP policy: Any user with an in the.edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied [Permit- Override] SP policy: Any user with an in the.edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied [Permit- Override] If Deny-Override HP users cannot read file from 8am till 10am

30 Trust and Security for Next Generation Grids, VO Policy: Any user with an in the.edu or in the.gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override] VO Policy: Any user with an in the.edu or in the.gov domains can read any file. However, no access is allowed from 8am till 12am. [Deny-Override] SP policy: Any user with an in the.edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied [Permit- Override] SP policy: Any user with an in the.edu domain can perform any action on any resource. HP users can read any files from 8am till 10am. However, requests received between 8am till 6pm are denied [Permit- Override] If Permit-Override VO may not be happy that HP users and.edu domain can violate its policy

31 Trust and Security for Next Generation Grids, Propose integration algorithms Stakeholders specify combination algorithms and also which compromise they are willing to accept if they offer their service to a VO Stakeholders specify combination algorithms and also which compromise they are willing to accept if they offer their service to a VO Step1: Normalize policy (First-one applicable) Step1: Normalize policy (First-one applicable) Step2: Compute policy similarity Step2: Compute policy similarity Step3: Specify integration preferences Step3: Specify integration preferences

32 Trust and Security for Next Generation Grids, Policy similarity Rule similarity type Authorized request set R i Converges R j R i Diverges R j R i Restricts R j R i Extends R j R i Shuffles R j R i =R j RiRi RjRj RiRi RjRj RjRj RiRi RiRi RjRj

33 Trust and Security for Next Generation Grids, Policy Integration Preferences VO point of view Converge Override Converge Override VO enforces only its unchanged policy Restrict Override Restrict Override VO enforces also SP policies that do not deny its Deny Override Deny Override VO enforces also SP policies. Request permitted only if all permit it Permit Override Permit Override VO enforces also SP policies. Requested permitted if at least one permit it SP point of view Restrict Override Restrict Override SP accepts that only a subset of its accepted requests will be accepted by the VO Extend Override Extend Override SP accepts requests it doesnt accept will be accepted by the VO Converge Override Converge Override SP demands that its unchanged policy is enforced by the VO

34 Trust and Security for Next Generation Grids, Policy Integration Preferences Restrict Override ExtendOverride Converge Override ConvergeExtendConvergeRestrictConverge Restrict Override ConvergeRestrictConvergeRestrictConvergeRestrict DenyOverrideConvergeRestrictExtendShuffleConvergeRestrictConvergeRestrict Permit Override ConvergeExtendConvergeRestrictExtendShuffleDivergeConvergeExtend VO SP

35 Trust and Security for Next Generation Grids, XACML Runtime Support The Policy Administration Point (PAP) stores XACML policies in the appropriate repository. The Policy Administration Point (PAP) stores XACML policies in the appropriate repository. The Policy Enforcement Point (PEP) performs access control by making decision requests and enforcing authorization decisions. The Policy Enforcement Point (PEP) performs access control by making decision requests and enforcing authorization decisions. The Policy Information Point (PIP) serves as the source of attribute values, or the data required for policy evaluation. The Policy Information Point (PIP) serves as the source of attribute values, or the data required for policy evaluation. The Policy Decision Point (PDP) evaluates the applicable policy and renders an authorization decision. The Policy Decision Point (PDP) evaluates the applicable policy and renders an authorization decision. Note: The PEP and PDP might both be contained within the same application, or might be distributed across different servers

36 Trust and Security for Next Generation Grids, Evaluation Workflow VO User Obligations service PEP (DKM ) PDP Context Handler PIP Resources Attribute Manager Environment Attribute Manager PAP Subjects Attribute Manager 2. service invocation 3. request 12. response 5. attribute query 4. request notification 10. attributes 11. response context 6. attribute query 8. attributes 1. policy 9. resource 7a. subject attributes 7b. Resource attributes 7c. Environment attributes

37 Trust and Security for Next Generation Grids, Our implementation in GridTrust VO ENFORCER Virtual Breeding Environment VO user Service1 Service3 Service2 PEPPEP

38 Trust and Security for Next Generation Grids, Enforcer Extension of SUN XACML PDP to support UCON at VO service level Extension of SUN XACML PDP to support UCON at VO service level At the moment covers only a subset of the XACML specifications At the moment covers only a subset of the XACML specifications In case of denial respond with the rule that caused the deny In case of denial respond with the rule that caused the deny Rollback Rollback Trust and Security for Next Generation Grids,

39 Enforcer (Extended PDP) B. Crispo TNO Groningen PDP OAMSAMHMCM OM APPPLICATION (PEP) Allow?Yes/No/Delay/Modify/N/A Enforcer OAM: Object Attribute Manager SAM: Subject Attribute Manager HM: History Manager CM Consition Manager OM: Obligation Manager

40 Trust and Security for Next Generation Grids, Why PDP Performance is Important? PDP is critical for the overall performance of authorization service The proliferation of service oriented applications S3-like services will face enormous amount of requests requiring authorization decisions

41 Trust and Security for Next Generation Grids, PDP Tested: Sun XACML, XACML Enterprise, XACMLight PDP Tested: Sun XACML, XACML Enterprise, XACMLight Two phases have been tested: Two phases have been tested: Policy Load: Loading of policy/policies from disk to main memory. Policy Evaluation: Request evaluation against loaded policies. Environment: 3.4 GHz Pentium IV CPU, 2GB RAM, 160 GB Serial ATA (7200 rpm) HDD Environment: 3.4 GHz Pentium IV CPU, 2GB RAM, 160 GB Serial ATA (7200 rpm) HDD JVM heap size : 256 MB MB JVM heap size : 256 MB MB

42 Trust and Security for Next Generation Grids, Policy Test Suite Three policy test suites (syntetic policies): Large Number of Policies: 10, 100, 1000 and XACML policies composed of 4 rules. Large Number of Rules: 10, 50, 100, 500 and 1000 rules in a single policy. Policy Similarity: 10 policies with different similarity settings

43 Trust and Security for Next Generation Grids, Large Number of Policies In enterprise/cross-enterprise systems In enterprise/cross-enterprise systems With large number of entities eager to specify access control policies With shared PDP services 1 request is evaluated against 10, 100, 1000 and 1000 policies at a time. 1 request is evaluated against 10, 100, 1000 and 1000 policies at a time.

44 Trust and Security for Next Generation Grids, Large Number of Policies Policy Load

45 Trust and Security for Next Generation Grids, Large Number of Policies (Cont.) Policy Evaluation

46 Trust and Security for Next Generation Grids, Large Number of Rules A single organization A single organization With large number of users and resources Single Point of Control 1 request is evaluated against 10 policies with 10, 50, 100, 500, 1000 rules inside 1 request is evaluated against 10 policies with 10, 50, 100, 500, 1000 rules inside

47 Trust and Security for Next Generation Grids, Large Number of Rules Policy Load

48 Trust and Security for Next Generation Grids, Large Number of Rules (Cont.) Policy Evaluation

49 Trust and Security for Next Generation Grids, Ongoing Work Extend the enforcement by reaction, extending the obligation Extend the enforcement by reaction, extending the obligation Integrating security policy Match-making with Resource Allocation/Scheduling Integrating security policy Match-making with Resource Allocation/Scheduling Improve performance acting both on loading time (more efficient policy representation) and evaluation time (more efficient evaluation algorithms) Improve performance acting both on loading time (more efficient policy representation) and evaluation time (more efficient evaluation algorithms) Considering Continuous Monitoring at service level for some specific applications Considering Continuous Monitoring at service level for some specific applications


Download ppt "Trust and Security for Next Generation Grids, www.gridtrust.eu Implementing UCON with XACML for Grid Services Bruno Crispo Vrije Universiteit Amsterdam."

Similar presentations


Ads by Google